DEPARTMENT OF DEFENSE
CONTRACT SECURITY CLASSIFICATION SPECIFICATION
(The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.)

1. CLEARANCE AND SAFEGUARDING
a. Facility Clearance Required: TOP SECRET//SCI
b. Level of Safeguarding Required: TOP SECRET/SCI

2. THIS SPECIFICATION IS FOR: (X and complete as applicable)
a. Prime Contract Number: NRO000-15-P-0330
b. Subcontract Number
c. Solicitation or Other Number; Due Date (YYMMDD)

3. THIS SPECIFICATION IS: (X and complete as applicable)
a. Original (Complete date in all cases); Date (YYMMDD)
b. Revised; Revision No.; Date (YYMMDD)
c. Final (Complete Item 5 in all cases); Date (YYMMDD)

4. IS THIS A FOLLOW-ON CONTRACT? [ ] Yes [X] No. If YES, complete the following: Classified material received or generated
under: (Preceding Contract Number) is transferred to this follow-on contract.

5. IS THIS A FINAL DD FORM 254? [ ] Yes [X] No. If YES, complete the following: In response to the contractor's request
dated , retention of the identified classified material is authorized for the period of


6. CONTRACTOR (Include Commercial and Government Entity (CAGE) Code)
a. Name, Address, and Zip Code
b. CAGE Code
c. Cognizant Security Office (Name, Address, and Zip Code)
Office of Security and Counterintelligence
NRO/OS&CI
14675 Lee Rd., Chantilly, VA, 20151-1715

7. SUBCONTRACTOR
a. Name, Address, and Zip Code
b. CAGE Code
c. Cognizant Security Office (Name, Address, and Zip Code)

8. ACTUAL PERFORMANCE
a. Location
Chantilly, VA and various locations as required.

9. GENERAL IDENTIFICATION OF THIS PROCUREMENT
Intelligence Community Polygraph Examiner


10. CONTRACTOR WILL REQUIRE ACCESS TO:
a. Communications Security (COMSEC) Information
b. Restricted Data
c. Critical Nuclear Weapon Design Information
d. Formerly Restricted Data
(2) Non-SCI
f. Special Access Information
g. NATO Information
h. Foreign Government Information
i. Limited Dissemination Information
j. For Official Use Only Information
k. Other (Specify) N/A

11. IN PERFORMING THIS CONTRA
a. Have access to classified in
b. Receive classified documents only
c. Receive and generate classified material
d. Fabricate, modify, or store classified hardware
e. Perform services only
f. Have access to U.S. classified information outside the U.S.,
Center (DTIC) or other secondary distribution center
h. Require a COMSEC account
i. Have TEMPEST requirements
k. Be authorized to use the Defense Courier Servi
l. Other (Specify) Use of NRO Courier Service is authorized.





12. PUBLIC RELEASE. Any information (classified or unclassified) pertaining to this contract shall not be released for public dissemination
except as provided by the Industrial Security Manual or unless it has been approved for public release by appropriate U.S. Government
authority. Proposed public releases shall be submitted for approval prior to release [ ] Direct [X] Through (Specify)

NRO OS&CI/PSO and cognizant CO. NAM Clause N52.204-009 applies. The contractor shall not use or allow to be used any aspect of this
contract for publicity, advertisement, or any other public relations purpose. The contractor must obtain the written approval of the Contracting
Officer before releasing any information related to this contract. Also see additional security requirements as specified in Item 13.


13. SECURITY GUIDANCE. The security classification guidance needed for this classified effort is identified below. If any difficulty is 
encountered in applying this guidance or if any other contributing factor indicates a need for changes in this guidance, the contractor is 
authorized and encouraged to provide recommended changes; to challenge the guidance or the classification assigned to any information or 
material furnished or generated under this contract; and to submit any questions for interpretation of this guidance to the official identified below. 
Pending final decision, the information involved shall be handled and protected at the highest level of classification assigned or recommended. 
(Fill in as appropriate for the classified effort. Attach, or forward under separate correspondence, any documents/guides/extracts referenced herein. Add additional
pages as needed to provide complete guidance.)

1. For programs that require the contractor to have access to national security information, up to and including SCI, the contractor
shall comply with the requirements of:

a. NRO Security Manual (NSM);

b. National Industrial Security Program Operating Manual (NISPOM);

c. NRO Personnel Security Instruction (PSI);

d. Intelligence Community Directive (ICD) 704, Personnel Security;

e. Committee for National Security Systems (CNSS) Directive 504, Directive on Protection of National Security Systems from Insider Threat;

f. For contracts requiring SCI access, NISPOM Supplement 7 (NISPOMSUP); ICD 705, Sensitive Compartmented Information Facilities; ICD
710, Classification and Control Markings System; and the Integrated NRO Classification Guide (INCG) apply;

g. The Intelligence Community and NRO directives, instructions, policy guidance, standards, and special access program classification and
program security guides as listed on the continuation sheets.

h. The latest revision to each document referenced above, notice of which has been furnished to the contractor by the Government. 


2. The contractor will be required to comply with all revisions and successor manuals and documents to those listed above, notice of which has 
been furnished to the contractor by the contracting officer. 


3. The following NAM clauses have been incorporated into the contract by reference and may be viewed in full-text on the NRO Acquisition
Research Center website on the CWAN or on the Internet (https://arc.westfields.net):


N52.204-001 Security Requirements 
N52.204-002 Oral Attestation of Security Responsibilities 
NAM N52.204-005 Protection Against Compromising Emanations 
NAM N52.204-008 Notice of Litigation 
NAM N52.204-009 Release of Contract Information 
See Continuation Sheets.


14. ADDITIONAL SECURITY REQUIREMENTS. Requirements, in addition to ISM requirements, are established for this contract. ) Yes [7]
No (If Yes, identify the pertinent contractual clauses in the contract document itself, or provide an appropriate statement which identifies the additional
requirements. Provide a copy of the requirements to the cognizant security office. Use item 13 if additional space is needed.) 

(U) Security requirements stated herein are complete and adequate for safeguarding the classified information to be released or generated 
under this classified effort. Any questions shall be referred to the official named below. 














15. INSPECTIONS. Elements of this contract are outside the inspection responsibility of the cognizant security office. OlYes & 
(If Yes, explain and identify specific areas or elements carved out and the activity responsible for inspections. Use Item 13 if additional space is needed.)






16. CERTIFICATION AND SIGNATURE. Security requirements stated herein are complete and adequate for safeguarding the classified 
information to be released or generated under this classified effort. All questions shall be referred to the official named below. 











a. Typed Name of Certifying Officer
b. Title: Program Security Officer
c. Telephone (Include Area Code)



































d. Address (Include Zip Code)
Office of Security and Counterintelligence
NRO/OS&CI
14675 Lee Rd., Chantilly, VA. 20151-1715

(b)(3)

17. REQUIRED DISTRIBUTION
a. Contractor
b. Subcontractor
c. Cognizant Security Office for Prime and Subcontractor
d. U.S. Activity Responsible for Overseas Security Administration
e. Administrative Contracting Officer
f. Others as Necessary: PSO
DD FORM 254 (BACK), DEC 1999 
Continuation Page for DD 254, Section 13


4. Conformance to the following documents is hereby a requirement of this contract. Future revisions to these documents shall 
supersede the specific versions listed below. The Contractor is responsible for compliance with the most current version 
regardless of any changes to titles or numbering strategies. Contractor must comply with all applicable government regulations 
and laws and their successors; the following list is of particular relevance: 




E.O. 12333, United States Intelligence Activities, 30 Jul 08

E.O. 13011, Federal Information Technology, 17 Jul 96 

E.O. 13526, Classified National Security Information, 29 Dec 09 

DoDD 5210.48, Polygraph and Credibility Assessment Program, 25 Jan 07 

DoDI 5210.91, Polygraph and Credibility Assessment Procedures, 12 Aug 10

DoDD 8500.01E, Information Assurance, 24 Oct 02 

DoDI 8500.2, Information Assurance Implementation, 6 Feb 03

DoDI 8523.01, Communications Security (COMSEC), 22 Apr 08 

DoDI 8560.01, Comm Security (COMSEC) Monitoring and Info Assurance (IA) Readiness Testing, 9 Oct 07 
DoDI 8581.01, Information Assurance Policy for Space Systems Used by the DoD, 8 Jun 10 

CBPI 50-2A, Identity Management - Enterprise Identity, 22 Jun 09 

CBPI 50-2B, Identity Management - Privileged User, 22 Jun 09

CBPI 50-2D, Enterprise Defense - Countermeasures, 22 Jun 09

CBPI 50-2E, Enterprise Defense - Cyber Incident Response, 22 Jun 09 

CBPI 50-2F, Enterprise Defense - Vulnerability Assessment, 22 Jun 09 

CBPI 50-2G, Information Assurance Reporting - Federal Information Security Management Act, 22 Jun 09 
CBPI 50-2H, Information Assurance Reporting - Information Condition, 22 Jun 09 

CBPI 50-3B, Privacy Assessment, 22 Jun 09 

CBPI 51E-1 Ver. 4, Certification and Accreditation, 31 Mar 11 

CBPI 53D-2, Compliance Reporting - Remediation Plan Process, 7 Jul 10 

CBPI 53D-3, IT-IA-IM Compliance - External Compliance and Reporting, 1 Aug 10 

ICD 403, Foreign Disclosure and Release of Classified National Intelligence, 13 Mar 13 

ICD 503, Intelligence Community Information Technology Systems Security Risk Management, Certification, and 
Accreditation, 15 Sep 08 

ICD 701, Unauthorized Disclosures of Classified Information, 14 Mar 07

ICD 702, Technical Surveillance Countermeasures, 18 Feb 08 

ICS 503-01, Interconnection Security Agreements, 28 Jan 09 

ICS 503-02, Categorizing and Selecting Information Technology Systems Security Controls, 21 May 10 

ICS 700-2, Use of Audit Data for Insider Threat Detection, 3 May 12 

ICS 705-1 Physical and Technical Security Standards for SCIFs, 17 Sep 10 

ICS 705-2 Standards for the Accreditation and Reciprocal Use of SCIFs, 11 Feb 13 

ICPM-2006-700-8, Intelligence Community Modifications to DCID 6/1 Supplement, “Security Policy Manual for SCI 
Control Systems” 

ICPM-2006-700-10, Intelligence Community Update to DCID 6/11, “Controlled Access Program Oversight
Committee”, 12 Jan 07

DCID 1/20P Security Policy Concerning Travel and Assignment of Personnel with Access to SCI, 29 Dec 91 
DCID 6/1 Security Policy for SCI and Security Policy Manual, 1 Mar 95 

DCID 6/6 Security Controls on Dissemination of Intel Info (Sections V, VI, VII, VIII, X and Annex B Only), 11 Jul 01
DCID 6/7 Intelligence Disclosure Policy, 30 Jun 98 

DCID 6/11, Controlled Access Program Oversight Committee 

CNSSI 1253, Security Categorization and Control Selection For National Security Systems, 15 Mar 12 
CNSSI 4009, National Information Assurance (IA) Glossary, 26 Apr 10

CNSSP No. 22, Policy on Info Assurance Risk Management for National Security Systems, 12 Jan 12 
IAS-12, NRO Information Assurance Strategy, 1 Mar 12 

IASD Rev B, Information Assurance Standards Document, 24 Aug 12

NIST SP 800-137, Info Security Continuous Monitoring (ISCM) for Federal Info Sys and Orgs, 11 Sep 12 
NIST SP 800-30, Risk Management Guide for Information Technology Systems, 1 Oct 01 

NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Info Sys, 1 Feb 10 
NIST SP 800-39, Managing Info Security Risk: Organization, Mission and Info System View, 1 Mar 11
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, 1 Aug 02 

NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Info Sys and Organizations, 1 Aug 09 
NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Info Sys and Orgs, 1 Jun 10 
NIST SP 800-59, Guide for Identifying an Information System as a National Security System, 1 Aug 03
NBF 50, Information Technology, Information Assurance, and Information Management, 3 Apr 12
NBF-100, Security and Counterintelligence, 3 Apr 12 

ND 50-1, Policy, Governance, and Compliance, 1 Aug 12 

ND 50-2, IT-IA-IM Capital Planning and Investment Control, 5 Jun 12

ND 50-3, Default Classification on NRO TS, SCI Networks, 13 Feb 12

ND 50-4, Data Protection and Separation, 7 Mar 12 

ND 50-5, Information Assurance Workforce Enhancement Program, 17 Apr 13

ND 50-6, Information Technology Data Center Container, 14 Nov 11 

ND 50-7, Appropriate Use of NRO Information Technology, 7 Mar 12 

ND 50-8, Information Technology Project Management, 3 May 12 

ND 50-9, Software and Information Technology Asset Publish and Reuse, 28 Jun 12 

ND 50-10, Software License and Copyright Statute Compliance, 24 Jan 14 

ND 50-11, Software Procurement via Enterprise License Agreement, 12 Dec 13 

ND 50-12, Corporate IT Procurement Process, 7 Nov 13 

ND 50-13, Information Management, Integration, and Sharing, 30 Jul 12 

ND 50-20, Government Portable Electronic Devices, 24 Feb 14

ND 50-22, Technology Selection and the Use of the Corporate Product List, 8 Mar 12 

ND 51-1, IT-IA-IM Architecture and Strategy, 6 Jun 12 

ND 52-1, Information Assurance and Program Management, 30 Aug 12 

ND 52-2, System Access, 17 Apr 13 

ND 52-3, Roles and Responsibilities for IA Security Awareness and Training, 13 Nov 12

ND 52-4, Information Technology Audit and Accountability, 2 May 13

ND 52-5, Assessment, Authorization, and Monitoring, 8 Jun 13 

ND 52-8, Identification and Authentication, 13 Nov 12 

ND 52-10, Assurance of Information Technology Maintenance, 18 Dec 12 

ND 52-11, Assurance of Digital and Non-Digital Information Storage Media Protection, 14 Aug 12 

ND 52-13, Information Assurance Planning, 30 Aug 12 

ND 52-14, Assurance of Personnel Security Information System Controls, 3 Jan 13 

ND 52-15, Risk and Vulnerability Assessments, Reviews, and Updates, 11 Mar 13 

ND 52-17, System and Communications Protection, 7 Dec 12 

ND 53-5, NRO Associated Unclassified Services, 29 Jun 12 

ND 53-6, Industry Partner General Purpose TS/SCI Wide-Area Network Connectivity, 6 Nov 12 

ND 53-7, Internet Protocol Version 6, 30 Aug 12

ND 53-12, NRO Implementation of IC Standard for E-mail Display Name Format, 9 Apr 12

ND 53-13, Domain Name Systems, Registered IP, and Autonomous System Number Standardization, 24 Feb 14
ND 53-15, Robust Network Peering on Classified NRO Internet Protocol Networks, 9 Apr 12

ND 53-17, Public Key Enablement, 16 May 12

ND 53-18, NRO Human Resources Authoritative Attribute Source, 16 May 12

ND 53-19, Microsoft Office SharePoint Services, 15 Mar 12

ND 53-20, Unclassified Management Info System Account Qualifications and Access Management, 10 Feb 14
ND 53-21, Contractor Local Area Network Account Management, 28 Feb 12

ND 53-22, NMIS Account Qualifications and Access Management, 28 Feb 12

ND 53-23, SCMIS Account Qualification and Access Management, 19 Mar 12

ND 53-24, Non-Associated Services, 17 Oct 13

ND 54-1, Spectrum Management, 17 Sep 13

ND 55-1, Information Privacy, 30 Aug 12 

ND 55-2, Privacy Breach and Complaint Management, 7 May 13 

ND 56-1, Records Management, 12 Mar 13 

ND 56-2, information Review and Release, 20 Feb 14 

ND 100-1, NRO Polygraph Program, 3 May 12 


ND 100-2, FOUO Information Handling, 3 May 12

ND 100-3, Enterprise Antiterrorism/Force Protection Program, 3 May 12 

ND 100-4, Use of Personally Owned or Produced Music Compact Discs, 3 May 12 

ND 100-5, TEMPEST Requirements, 4 May 12 

ND 100-6, TSCM, 3 May 12 

ND 100-7 Guidance on the Use of Plasma Screens in NRO Accredited SCIFs, 3 May 12 

ND 100-8 Portable Electronic Device Procedures for Visitors, 3 May 12 

ND 100-9 Personnel Security Requirements for Industry Reps Working on NRO Proposal Preparation, 3 May 12 
ND 100-10, Use of Project and Program Names, 3 May 12 

ND 100-11, Operations Security, 3 May 12 

ND 100-12, Protection Policy Standard for Critical Program Information, 3 May 12 

ND 100-13, NRO Enterprise Program Protection Policy Standard, 3 May 12 

ND 100-14, Workplace Violence Prevention Program, 3 May 12 

ND 100-15, Departure or Relocation of NRO Personnel, 3 May 12 

ND 100-16, NRO Security Manual, 3 May 12

ND 100-17, NRO Sponsored Intelligence Community Badges, 3 May 12 

ND 100-18, Unauthorized Disclosure of Classified Information to the Media, 3 May 12 

ND 100-19, Recall/Telephone Roster Classification Guidelines, 3 May 12 

ND 100-20, Mail Screening, 3 May 12 

ND 100-21, Management and Issuance of NRO Credentials, 3 May 2012 

ND 100-22, Wearing Badges at Westfields Videotaped or Filmed Events, 3 May 12 

ND 100-23, NRO Headquarters Gray Badge, 3 May 12 
ND 100-24, NRO Headquarters Radiation Screening, 3 May 12

ND 100-25, Foreign Contact/Foreign Travel Reporting, 3 May 12

ND 100-26, Memorabilia, 1 Aug 13

ND 100-27, File Transfer Using Removable Media, 5 Apr 13

ND 100-28, NRO Information Enterprise Account Authentication Policy, 30 Aug 12

ND 100-29, NRO Information Systems Media and Component Sanitization, 3 Apr 13

ND 100-30, Information Assurance Training Controls for Access to NRO Information Systems, 3 Apr 13 
ND 100-31, Media Protection Controls for NRO Information Systems, 3 Apr 13 

ND 100-32, Maintenance Controls for NRO Information Systems, 3 Apr 13 

ND 100-33, Personnel Security Controls for Access to NRO Information Systems, 29 Jan 13 

ND 100-34, Physical and Environmental Security Protection Controls for NRO Information Systems, 3 Apr 13 
ND 100-35, NRO RESERVE Program, 26 Apr 13 

ND 100-36, Insider Threat Detection Program, 29 Apr 13 

ND 100-37, Security of Controlled Unclassified NRO Information on Non-NRO Information Systems, 29 Apr 13
ND 100-38, Office Automation and Information Technology Equipment Classification Labeling, 10 Apr 13
ND 100-40, FIAT Account Qualification and Access Management, 9 May 13 

ND 100-41, Family Member Access to NRO Headquarters Facilities, 5 Dec 13 

NI 50-8-1, Information Technology Project Management, 27 Apr 12 

NI 50-11-1, Enterprise License Agreement, 4 Dec 13 

NI 50-12-1, Information Technology Procurement, 6 Nov 13

NI 50-22-1, Corporate Products List, 8 Mar 12 

NI 55-2-1, Privacy Breach and Complaint Reporting, 2 May 13 

NI 56-1-1, Records Creation, 26 Feb 13

NI 56-1-2, Records Maintenance and Use, 26 Feb 13

NI 56-1-3, Records Disposition and Preservation, 26 Feb 13 

NI 56-1-4, Forms Management, 26 Feb 13

NI 56-2-2, Prepublication Review, 26 Feb 13

NI 100-12-1, Identification of Critical Program Information, 24 Sep 12

NI 100-25-1, Foreign National Contact and Travel Reporting, 3 Jan 13

NI 100-27-1, File Transfer Using Removable Media, 3 Apr 13

NI 100-29-1, NRO Information Systems Media Sanitization, 3 Apr 13

NRO CIO Policy Note 2013-04, Basic Input/Output Systems (BIOS) Protection Guidelines, 4 Dec 13 
NRO CIO Policy Note 2014-01, Information System Device Hardening Guidance, 24 Jan 14 
Reference Documents. The reference documents listed below provide useful information that needs to be considered in the
performance of the tasks under this contract.

a. E.O. 12829 National Industrial Security Program
b. E.O. 12951 Release of Imagery Acquired by Space-based National Intelligence Reconnaissance Systems
c. E.O. 12972 Amendment to E.O. 12958
d. E.O. 12968 Access to Classified Information
e. E.O. 13010 Critical Infrastructure Protection
f. E.O. 13354 Intelligence Reform and Terrorism Prevention Act of 2004; Public Law 108-458
g. E.O. 13587 Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and
Safeguarding of Classified Information
h. US Code - Title 18
i. National Disclosure Policy (NDP)-1
j. 2012 National Counterintelligence Strategy
k. The National Counterintelligence Operating Plan 2008-2010
l. U.S. Government Insider Threat Detection Guide
m. DoDD 5105.23 National Reconnaissance Office, 28 Jun 2011


5. Reference Item 6b: This is a Defense Security Service Carve-Out 


6. Reference Items 10e(1) and 11a: All contractor SCI work and access will be at a designated Government or
contractor-approved SCI facility (SCIF).


7. Reference Item 10e(2): This contractor will follow the requirements of ICD 710 Classification and Control Markings System 
and DCID 6/6 Security Controls on the Dissemination of Intelligence Information. 


8. Reference 10e(1) and/or 10f: Upon expiration of this contract, the contractor shall request disposition instructions for all
classified and unclassified project material. The contractor may be directed to properly destroy the material or return it. If 
classified or unclassified project material is to be retained by the contractor, every effort should be taken to transfer it to a follow- 
on contract or similar effort, if applicable. This must be done, however, with CO approval. Unless written authorization by the CO 
to retain specific material for a specific period of time is received, the material shall be returned or destroyed as instructed by the 
NRO Records Control Schedule. Any exception to security policy shall be referred to the CSO for coordination with the 
appropriate agencies and the contracting officer. 


9. Reference Item 10j: Guidance for FOUO may be found in NRO Directive 100-2.


10. Reference Item 11a: Contractor will abide by NRO Security Manual and any site specific security doctrine put forth by local 
PSO. 


11. Reference Item 11c: Contractor requires access to classified source data up to and including "TOP SECRET//SCI" in support
of the work effort. Any classified information or extracts generated in the performance of this contract requires the contractor to 
apply derivative classifications and markings consistent with the source documents. Use of "Multiple Sources" on the "DRV 
FROM" line necessitates the inclusion of a listing of the specific source classification guides. 


12. Reference Item 11e: Contract is for an Intelligence Community Polygrapher. Appropriately cleared personnel are required
to perform this service. 


13. Reference Item 11: NAM Clause N52.204-005 applies. 